Bringing Accountability to the Cloud: Addressing Emerging Threats and Legal Perspectives

  • Massimo Felici
  • Martin Gilje Jaatun
  • Eleni Kosta
  • Nick Wainwright
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 182)


This paper is concerned with accountability in cloud ecosystems. The separation between data and data subjects as well as the exchange of data between cloud consumers and providers increases the complexity of data governance in cloud ecosystems, a problem which is exacerbated by emerging threats and vulnerabilities. This paper discusses how accountability addresses emerging issues and legal perspectives in cloud ecosystems. In particular, it introduces an accountability model tailored to the cloud. It presents on-going work within the Cloud Accountability Project, highlighting both legal and technical aspects of accountability.


Accountability, Data governance, Cloud computing



This work has been partly funded from the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no: 317550 (A4CLOUD – Cloud Accountability Project). Figure 2 Threats in a Cloud Ecosystem is taken from a presentation by Siani Pearson. Figure 4 Example of data flows in a cloud ecosystem is based on an original by Karin Bernsmed. We also would like to thank the contributions to the accountability conceptual framework of our partners within the Cloud Accountability Project: Daniele Catteddu, Giles Hogben, Amy Holcroft, Theofrastos Koulouris, Ronald Leenes, Christopher Millard, Maartje Niezen, David Nuñez, Nick Papanikolaou, Siani Pearson, Daniel Pradelles, Chris Reed, Chunming Rong, Jean-Claude Royer, Dimitra Stefanatou, Vasilis Tountopoulos, Tomasz Wiktor Wlodarczyk.



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Massimo Felici (1)
  • Martin Gilje Jaatun (2)
  • Eleni Kosta (3)
  • Nick Wainwright (1)

  1. Hewlett-Packard Laboratories, Bristol, UK
  2. SINTEF ICT, Trondheim, Norway
  3. Tilburg University, Tilburg, Netherlands
